<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en"><head><title>Implementer Draft: REST API OAuth 1.0 to 1.0a (Draft)</title>
<meta http-equiv="Expires" content="Tue, 01 Sep 2009 04:17:26 +0000">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="description" content="REST API OAuth 1.0 to 1.0a (Draft)">
<meta name="generator" content="xml2rfc v1.33 (http://xml.resource.org/)">
<style type='text/css'><!--
        body {
                font-family: verdana, charcoal, helvetica, arial, sans-serif;
                font-size: small; color: #000; background-color: #FFF;
                margin: 2em;
        }
        h1, h2, h3, h4, h5, h6 {
                font-family: helvetica, monaco, "MS Sans Serif", arial, sans-serif;
                font-weight: bold; font-style: normal;
        }
        h1 { color: #900; background-color: transparent; text-align: right; }
        h3 { color: #333; background-color: transparent; }

        td.RFCbug {
                font-size: x-small; text-decoration: none;
                width: 30px; height: 30px; padding-top: 2px;
                text-align: justify; vertical-align: middle;
                background-color: #000;
        }
        td.RFCbug span.RFC {
                font-family: monaco, charcoal, geneva, "MS Sans Serif", helvetica, verdana, sans-serif;
                font-weight: bold; color: #666;
        }
        td.RFCbug span.hotText {
                font-family: charcoal, monaco, geneva, "MS Sans Serif", helvetica, verdana, sans-serif;
                font-weight: normal; text-align: center; color: #FFF;
        }

        table.TOCbug { width: 30px; height: 15px; }
        td.TOCbug {
                text-align: center; width: 30px; height: 15px;
                color: #FFF; background-color: #900;
        }
        td.TOCbug a {
                font-family: monaco, charcoal, geneva, "MS Sans Serif", helvetica, sans-serif;
                font-weight: bold; font-size: x-small; text-decoration: none;
                color: #FFF; background-color: transparent;
        }

        td.header {
                font-family: arial, helvetica, sans-serif; font-size: x-small;
                vertical-align: top; width: 33%;
                color: #FFF; background-color: #666;
        }
        td.author { font-weight: bold; font-size: x-small; margin-left: 4em; }
        td.author-text { font-size: x-small; }

        /* info code from SantaKlauss at http://www.madaboutstyle.com/tooltip2.html */
        a.info {
                /* This is the key. */
                position: relative;
                z-index: 24;
                text-decoration: none;
        }
        a.info:hover {
                z-index: 25;
                color: #FFF; background-color: #900;
        }
        a.info span { display: none; }
        a.info:hover span.info {
                /* The span will display just on :hover state. */
                display: block;
                position: absolute;
                font-size: smaller;
                top: 2em; left: -5em; width: 15em;
                padding: 2px; border: 1px solid #333;
                color: #900; background-color: #EEE;
                text-align: left;
        }

        a { font-weight: bold; }
        a:link    { color: #900; background-color: transparent; }
        a:visited { color: #633; background-color: transparent; }
        a:active  { color: #633; background-color: transparent; }

        p { margin-left: 2em; margin-right: 2em; }
        p.copyright { font-size: x-small; }
        p.toc { font-size: small; font-weight: bold; margin-left: 3em; }
        table.toc { margin: 0 0 0 3em; padding: 0; border: 0; vertical-align: text-top; }
        td.toc { font-size: small; font-weight: bold; vertical-align: text-top; }

        ol.text { margin-left: 2em; margin-right: 2em; }
        ul.text { margin-left: 2em; margin-right: 2em; }
        li      { margin-left: 3em; }

        /* RFC-2629 <spanx>s and <artwork>s. */
        em     { font-style: italic; }
        strong { font-weight: bold; }
        dfn    { font-weight: bold; font-style: normal; }
        cite   { font-weight: normal; font-style: normal; }
        tt     { color: #036; }
        tt, pre, pre dfn, pre em, pre cite, pre span {
                font-family: "Courier New", Courier, monospace; font-size: small;
        }
        pre {
                text-align: left; padding: 4px;
                color: #000; background-color: #CCC;
        }
        pre dfn  { color: #900; }
        pre em   { color: #66F; background-color: #FFC; font-weight: normal; }
        pre .key { color: #33C; font-weight: bold; }
        pre .id  { color: #900; }
        pre .str { color: #000; background-color: #CFF; }
        pre .val { color: #066; }
        pre .rep { color: #909; }
        pre .oth { color: #000; background-color: #FCF; }
        pre .err { background-color: #FCC; }

        /* RFC-2629 <texttable>s. */
        table.all, table.full, table.headers, table.none {
                font-size: small; text-align: center; border-width: 2px;
                vertical-align: top; border-collapse: collapse;
        }
        table.all, table.full { border-style: solid; border-color: black; }
        table.headers, table.none { border-style: none; }
        th {
                font-weight: bold; border-color: black;
                border-width: 2px 2px 3px 2px;
        }
        table.all th, table.full th { border-style: solid; }
        table.headers th { border-style: none none solid none; }
        table.none th { border-style: none; }
        table.all td {
                border-style: solid; border-color: #333;
                border-width: 1px 2px;
        }
        table.full td, table.headers td, table.none td { border-style: none; }

        hr { height: 1px; }
        hr.insert {
                width: 80%; border-style: none; border-width: 0;
                color: #CCC; background-color: #CCC;
        }
--></style>
</head>
<body>
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc">&nbsp;TOC&nbsp;</a></td></tr></table>
<table summary="layout" width="66%" border="0" cellpadding="0" cellspacing="0"><tr><td><table summary="layout" width="100%" border="0" cellpadding="2" cellspacing="1">
<tr><td class="header">Implementer Draft</td><td class="header">naf.  OAuth Implementation Changes</td></tr>
<tr><td class="header">&nbsp;</td><td class="header">August 2009</td></tr>
</table></td></tr></table>
<h1><br />REST API OAuth 1.0 to 1.0a (Draft)</h1>

<h3>Abstract</h3>

<p>The API team discussed and decided to research the tasks needed to update our current OAuth library to support version 1.0a (http://oauth.net/core/1.0a), so that consumers can use the new features available in this version of OAuth.
</p>
<p>
				This flow is a draft and will change over time. This flow assumes all decision points are green. Any decisions that result in rejections will loop back into the process.
		  
</p><a name="toc"></a><br /><hr />
<h3>Table of Contents</h3>
<p class="toc">
<a href="#anchor1">1.</a>&nbsp;
Authors<br />
<a href="#anchor2">2.</a>&nbsp;
Notation and Conventions<br />
<a href="#anchor3">3.</a>&nbsp;
Definitions<br />
<a href="#anchor4">4.</a>&nbsp;
Changes<br />
&nbsp;&nbsp;&nbsp;&nbsp;<a href="#differences">4.1.</a>&nbsp;
Differences<br />
<a href="#anchor5">5.</a>&nbsp;
Current Fellowship One REST API OAuth implementation changes<br />
&nbsp;&nbsp;&nbsp;&nbsp;<a href="#2nd">5.1.</a>&nbsp;
2nd Party credentials based authentication basic workflow (No Change)<br />
&nbsp;&nbsp;&nbsp;&nbsp;<a href="#3rd">5.2.</a>&nbsp;
3rd Party OAuth 1.0a based authentication basic workflow<br />
<a href="#Considerations">6.</a>&nbsp;
Considerations<br />
<a href="#rfc.references1">7.</a>&nbsp;
References<br />
<a href="#rfc.authors">&#167;</a>&nbsp;
Author's Address<br />
</p>
<br clear="all" />

<a name="anchor1"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc">&nbsp;TOC&nbsp;</a></td></tr></table>
<a name="rfc.section.1"></a><h3>1.&nbsp;
Authors</h3>

<p>
				</p>
<blockquote class="text">
<p>Jas Singh (jsingh@fellowshiptech.com)
</p>
<p>Nick Floyd (nfloyd@fellowshiptech.com), Editor
</p>
</blockquote><p>
			
</p>
<a name="anchor2"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc">&nbsp;TOC&nbsp;</a></td></tr></table>
<a name="rfc.section.2"></a><h3>2.&nbsp;
Notation and Conventions</h3>

<p>
				The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
				"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
				document are to be interpreted as described in <a class='info' href='#RFC2119'>[RFC2119]<span> (</span><span class='info'>Bradner, B., &ldquo;Key words for use in RFCs to Indicate Requirement Levels,&rdquo; .</span><span>)</span></a>.
				Domain name examples use <a class='info' href='#RFC2606'>[RFC2606]<span> (</span><span class='info'>Eastlake, D. and A. Panitz, &ldquo;Reserved Top Level DNS Names,&rdquo; .</span><span>)</span></a>.
			
</p>
<a name="anchor3"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc">&nbsp;TOC&nbsp;</a></td></tr></table>
<a name="rfc.section.3"></a><h3>3.&nbsp;
Definitions</h3>

<p>
				</p>
<blockquote class="text"><dl>
<dt>oauth_callback_confirmed:</dt>
<dd>
							MUST be present and set to true. The Consumer MAY use this to confirm that the Service Provider received the callback value. 
						
</dd>
<dt>oauth_verifier:</dt>
<dd>
						The verification code. 
					  
</dd>
<dt>oauth_callback:</dt>
<dd>
						An absolute URL to which the Service Provider will redirect the User back when the Obtaining User Authorization step is completed. If the Consumer is unable to receive callbacks or a callback URL has been established via other means, the parameter value MUST be set to oob (case sensitive), to indicate an out-of-band configuration. 
					  
</dd>
<dt>Fellowship One REST OAuth Definitions</dt>
<dd>
						All definitions from this implementation come from the <a class='info' href='#FellowshipOneOAuth'>[FellowshipOneOAuth]<span> (</span><span class='info'>Floyd, N., &ldquo;Fellowship One OAuth Implementation,&rdquo; .</span><span>)</span></a>. 
					  
</dd>
</dl></blockquote><p>
			
</p>
<a name="anchor4"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc">&nbsp;TOC&nbsp;</a></td></tr></table>
<a name="rfc.section.4"></a><h3>4.&nbsp;
Changes</h3>

<p>The following outlines the differences between <a class='info' href='#OAuth1_0'>[OAuth1_0]<span> (</span><span class='info'>Hammer, E., &ldquo;OAuth 1.0,&rdquo; .</span><span>)</span></a> and <a class='info' href='#OAuth1_0a'>[OAuth1_0a]<span> (</span><span class='info'>Hammer, E., &ldquo;OAuth 1.0a,&rdquo; .</span><span>)</span></a>.
</p>
<a name="differences"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc">&nbsp;TOC&nbsp;</a></td></tr></table>
<a name="rfc.section.4.1"></a><h3>4.1.&nbsp;
Differences</h3>

<p>
						</p>
<blockquote class="text">
<p>Section 6.1.1 (Consumer Obtains a Request token)
</p>
<p><tt>ADDED</tt> oauth_callback 
</p>
<p>
								</p>
<blockquote class="text"><dl>
<dt></dt>
<dd>An absolute URL to which the Service Provider will redirect the User back when the Obtaining User Authorization step is completed. If the Consumer is unable to receive callbacks or a callback URL has been established via other means, the parameter value MUST be set to oob (case sensitive), to indicate an out-of-band configuration. 
</dd>
</dl></blockquote>
							

<p>Section 6.1.2 (Service provider Issues an Unauthorized Request Token)
</p>
<p><tt>ADDED</tt> oauth_callback_confirmed
</p>
<p>
								</p>
<blockquote class="text"><dl>
<dt></dt>
<dd>MUST be present and set to true. The Consumer MAY use this to confirm that the Service Provider received the callback value.
</dd>
</dl></blockquote>
							

<p>Section 6.2.1 Consumer Directs the User to the Service Provider
</p>
<p><tt>REMOVED</tt> oauth_callback
</p>
<p>
								</p>
<blockquote class="text"><dl>
<dt></dt>
<dd>OPTIONAL. The Consumer MAY specify a URL the Service Provider will use to redirect the User back to the Consumer when Obtaining User Authorization is complete.
</dd>
</dl></blockquote>
							

<p>Section 6.2.3 Service Provider Directs the User Back to the Consumer
</p>
<p><tt>ADDED</tt> oauth_verifier
</p>
<p>
								</p>
<blockquote class="text"><dl>
<dt></dt>
<dd>	The verification code. If the Consumer did not provide a callback URL, the Service Provider SHOULD display the value of the verification code, and instruct the User to manually inform the Consumer that authorization is completed.
</dd>
</dl></blockquote>
							

<p>Section 6.3.1 Consumer Requests an Access Token
</p>
<p><tt>ADDED</tt> oauth_verifier
</p>
<p>
								</p>
<blockquote class="text"><dl>
<dt></dt>
<dd>The verification code received from the Service Provider in the Service Provider Directs the User Back to the Consumer step. 
</dd>
</dl></blockquote>
							

<p>Section 6.3.2 Service Provider Grants an Access Token
</p>
<p><tt>ADDED</tt> Under "The Service Provider MUST ensure that:"
</p>
<p>
								</p>
<blockquote class="text"><dl>
<dt></dt>
<dd>The verification code received from the Consumer has been successfully verified.
</dd>
</dl></blockquote>
							

</blockquote><p>
					
</p>
<a name="anchor5"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc">&nbsp;TOC&nbsp;</a></td></tr></table>
<a name="rfc.section.5"></a><h3>5.&nbsp;
Current Fellowship One REST API OAuth implementation changes</h3>

<a name="2nd"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc">&nbsp;TOC&nbsp;</a></td></tr></table>
<a name="rfc.section.5.1"></a><h3>5.1.&nbsp;
2nd Party credentials based authentication basic workflow (No Change)</h3>

<p>1. Consumer Application collects the User's credentials directly
</p>
<p>2. Consumer Application concatenates the user name and password with a space and base64 encodes the credentials
</p>
<p>3. Consumer Application puts the encoded credentials in the body of the request (no parameter assignment, just put the bytes in the request)
</p>
<p>
					</p>
<blockquote class="text">
<p>If the consumer is using the accept header value application/x-www-form-urlencoded, then the consumer must pass the credentials using the following format:
</p>
<p>
								</p>
<blockquote class="text">
<p>ec=bXZhc3F1ZXogcGEkJHcwcmQ%3d
</p>
<p>Credentials must be URL Encoded after they are base64 encoded
</p>
</blockquote>
							

</blockquote><p> 
				
</p>
<p>4. Consumer Application posts them to the following URI, depending on which user type you're using:
</p>
<p>
					</p>
<blockquote class="text">
<p>This request is signed using OAuth signing requests
</p>
<p>Portal User: [POST] https://demo.fellowshiponeapi.com/v1/PortalUser/AccessToken
</p>
<p>Weblink User: [POST] https://demo.fellowshiponeapi.com/v1/WeblinkUser/AccessToken
</p>
</blockquote><p>
				
</p>
<p>5. The Service Provider will hand the Consumer Application back an Access Token via: 
</p>
<p>
					</p>
<blockquote class="text">
<p>Response body: ex. oauth_token=afd011d3-fbd3-4c69-8326-a24fad8d0c34&amp;oauth_token_secret=ab86c226-fc65-4d32-a33c-8b54a753655e
</p>
<p>Header:
</p>
<p>
							</p>
<blockquote class="text">
<p>oauth_token=afd011d3-fbd3-4c69-8326-a24fad8d0c34
</p>
<p>oauth_token_secret=ab86c226-fc65-4d32-a33c-8b54a753655e
</p>
</blockquote>
						

</blockquote><p>
				
</p>
<p>6. The Consumer Application will also get a link to the person via Content-Location header: 
</p>
<p>
				</p>
<blockquote class="text">
<p>
						 Ex. Content-Location=https://demo.fellowshiponeapi.com/v1/People/123	
					
</p>
</blockquote><p>
				
</p>
<p>7. The Consumer Application will access the User's data using the Access Token and Token Secret
</p>
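<p>The encoding in steps 2 and 3 and the token response in step 5, worked through as an added example that is not Fellowship One code and that round-trips the sample ec value shown above. The function names are hypothetical, and splitting on the first space when decoding is an assumption about how the Service Provider separates user name from password.
</p>

```python
import base64
from urllib.parse import parse_qs, quote, unquote

# Sample value copied from the workflow text above.
PAGE_SAMPLE = "ec=bXZhc3F1ZXogcGEkJHcwcmQ%3d"


def build_ec_body(username, password):
    """Steps 2-3: 'user password' -> base64 -> URL-encode -> ec=value."""
    raw = f"{username} {password}".encode("utf-8")
    b64 = base64.b64encode(raw).decode("ascii")
    # URL-encode AFTER base64 so the '=' padding survives form decoding.
    return "ec=" + quote(b64, safe="")


def decode_ec_body(body):
    """Reverse the encoding (what any party that sees the body can do).

    Assumption: the split is on the first space, so a password may contain
    spaces but a user name may not.
    """
    value = body.split("=", 1)[1]
    raw = base64.b64decode(unquote(value), validate=True).decode("utf-8")
    username, sep, password = raw.partition(" ")
    if not sep or not username:
        raise ValueError("expected 'user password'")
    return username, password


def parse_token_response(body):
    """Step 5: read the token pair from the form-encoded response body."""
    fields = parse_qs(body, strict_parsing=True)
    return fields["oauth_token"][0], fields["oauth_token_secret"][0]
```

<p>Base64 is an encoding, not encryption: decode_ec_body recovers the password from the body as sent, so the HTTPS endpoint is the only thing keeping it confidential. A user name containing a space is ambiguous under this format and is split at the wrong place.
</p>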
<a name="3rd"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc">&nbsp;TOC&nbsp;</a></td></tr></table>
<a name="rfc.section.5.2"></a><h3>5.2.&nbsp;
3rd Party OAuth 1.0a based authentication basic workflow</h3>

<p>1. Consumer Application requests an unauthenticated Request Token
</p>
<p>
					</p>
<blockquote class="text">
<p>This request is signed using OAuth signing requests
</p>
<p><tt>The consumer will pass in the oauth_callback parameter</tt>
</p>
<p>[GET] https://demo.fellowshiponeapi.com/v1/Tokens/RequestToken
</p>
<p>[POST] https://demo.fellowshiponeapi.com/v1/Tokens/RequestToken 
</p>
<p>
							</p>
<blockquote class="text">
<p>Required header when using the [POST] verb - Content-Length: 0
</p>
</blockquote>
						

</blockquote><p>
				
</p>
<p>2. Service Provider passes back an unauthorized Request Token 
</p>
<p>
					</p>
<blockquote class="text">
<p>Response body: ex. oauth_token=afd011d3-fbd3-4c69-8326-a24fad8d0c34&amp;oauth_token_secret=ab86c226-fc65-4d32-a33c-8b54a753655e&amp;<tt>oauth_callback_confirmed=true</tt>
</p>
</blockquote><p>
				
</p>
<p>3. Consumer Application requests user authorization via redirect
</p>
<p>
					</p>
<blockquote class="text">
<p>This request is signed using OAuth signing requests 
</p>
<p>The oauth_callback parameter is not passed in here
</p>
<p>
							</p>
<blockquote class="text">
<p>The Consumer Application will sign the request using the Request Token and Token Secret
</p>
<p>The Consumer Application will pass the Request Token via url 
</p>
<p>
									</p>
<blockquote class="text">
<p>ex. https://demo.fellowshiponeapi.com/v1/PortalUser/Login?oauth_token=afd011d3-fbd3-4c69-8326-a24fad8d0c34
</p>
</blockquote>
								

</blockquote>
						

<p>
							</p>
<blockquote class="text">
<p>The Consumer Application may pass a callback url via url (optional) 
</p>
<p>
									</p>
<blockquote class="text">
<p>ex. https://demo.fellowshiponeapi.com/v1/PortalUser/Login?oauth_token=afd011d3-fbd3-4c69-8326-a24fad8d0c34&amp;oauth_callback=http://www.myconsumerapp.com/home
</p>
</blockquote>
								

</blockquote>
						

<p>Portal User: https://demo.fellowshiponeapi.com/v1/PortalUser/Login
</p>
<p>
							</p>
<blockquote class="text">
<p>User logging in must be linked to a person in the Fellowship One Portal application
</p>
</blockquote>
						

<p>Weblink User: https://demo.fellowshiponeapi.com/v1/WeblinkUser/Login
</p>
</blockquote><p>
				
</p>
<p>4. The User enters their credentials using the Service Provider's interface
</p>
<p>5. The User will either Accept or Deny the request
</p>
<p>
					</p>
<blockquote class="text">
<p>The Service Provider will send back the oauth_verifier parameter to the Consumer Application 
</p>
<p>If the User allows access then the Service Provider authenticates the Request Token
</p>
<p>
							</p>
<blockquote class="text">
<p><tt>Service Provider uses the oauth_callback parameter that was provided to the Service Provider during (Consumer Obtains a Request Token) and sends the User back to the Consumer Application</tt>
</p>
<p>
									</p>
<blockquote class="text">
<p>ex. Redirect http://www.myconsumerapp.com/home?oauthtoken=afd011d3-fbd3-4c69-8326-a24fad8d0c34&amp;<tt>oauth_verifier=hfdp7dh39dks9884</tt>
</p>
</blockquote>
								

<p><tt>If no oauth_callback parameter was provided to the Service Provider during (Consumer Obtains a Request Token) the Service Provider sends the User to another page with the authorized Request Token written in the body with the oauth_verifier parameter</tt>
</p>
</blockquote>
						

<p> If the User denies access then the Service Provider marks the Request Token as revoked
</p>
<p>
							</p>
<blockquote class="text">
<p><tt>Service Provider uses the oauth_callback parameter that was provided to the Service Provider during (Consumer Obtains a Request Token) and sends the User back to the Consumer Application</tt>
</p>
<p>
									</p>
<blockquote class="text">
<p>ex. Redirect http://www.myconsumerapp.com/home?permissiondenied=The+user+has+denied+access+to+all+protected+resources. (OAuth problem reporting extension)
</p>
</blockquote>
								

<p><tt>If no oauth_callback parameter was provided to the Service Provider during (Consumer Obtains a Request Token) the Service Provider sends the User to another page stating that the Request Token has been revoked</tt>
</p>
</blockquote>
						

</blockquote><p>
				
</p>
<p>6. The Consumer Application will take the Authorized Request Token and its corresponding Token Secret and request an Access Token 
</p>
<p>
					</p>
<blockquote class="text">
<p>This request is signed using OAuth signing requests
</p>
<p><tt>Consumer Application must pass in the oauth_verifier parameter with this request</tt>
</p>
<p>
							</p>
<blockquote class="text">
<p>The Consumer Application will sign the request using the Authenticated Request Token and Token Secret
</p>
<p>The Consumer Application will pass the Authenticated Request Token via url
</p>
</blockquote>
						

<p>[GET] https://demo.fellowshiponeapi.com/v1/Tokens/AccessToken
</p>
<p>[POST] https://demo.fellowshiponeapi.com/v1/Tokens/AccessToken
</p>
<p>
							</p>
<blockquote class="text">
<p>Required header when using the [POST] verb - Content-Length: 0
</p>
</blockquote>
						

</blockquote><p>
				
</p>
<p>7. The Service Provider will hand the Consumer Application back an Access Token via: 
</p>
<p>
					</p>
<blockquote class="text">
<p><tt>Service Provider will verify the verification code provided by the Consumer</tt>
</p>
<p>Response body: ex. oauth_token=afd011d3-fbd3-4c69-8326-a24fad8d0c34&amp;oauth_token_secret=ab86c226-fc65-4d32-a33c-8b54a753655e
</p>
<p>Header:
</p>
<p>
							</p>
<blockquote class="text">
<p>oauth_token=afd011d3-fbd3-4c69-8326-a24fad8d0c34
</p>
<p>oauth_token_secret=ab86c226-fc65-4d32-a33c-8b54a753655e
</p>
</blockquote>
						

</blockquote><p>
				
</p>
<p>8. The Consumer Application will also get a link to the person via Content-Location header: 
</p>
<p>
					</p>
<blockquote class="text">
<p>ex. Content-Location=https://demo.fellowshiponeapi.com/v1/People/123
</p>
</blockquote><p>
				
</p>
<p>9. The Consumer Application will access the User's data using the Access Token and Token Secret
</p>
<a name="Considerations"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc">&nbsp;TOC&nbsp;</a></td></tr></table>
<a name="rfc.section.6"></a><h3>6.&nbsp;
Considerations</h3>

<p>The oauth_callback parameter will need to be stored with the request_token
</p>
<p>The oauth_verifier value will need to be stored with the authenticated request_token
</p>
<p>We will have to label all parameters 1.0 or 1.0a specific or inclusive
</p>
<p>When 1.0a is used, the oauth_callback value in the query string will be ignored and the one stored with the request_token will be used
</p>
<p>The oauth_verifier parameter should be unique and should be stored 
</p>
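<p>The Service Provider side of steps 1, 5, 6 and 7 of the 3rd party workflow, together with the storage notes in this section, sketched as an added example that is not the Fellowship One implementation. The class, its method names and the in-memory store are hypothetical, tokens come from Python's secrets module rather than the GUID-style values shown above, and OAuth signature checking is assumed to have happened before these calls.
</p>

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


@dataclass
class RequestToken:
    token: str
    secret: str
    callback: str                   # stored with the request_token at issue time
    verifier: Optional[str] = None  # stored once the User authorizes
    state: str = "unauthorized"     # -> authorized | revoked -> exchanged


class RequestTokenStore:
    """In-memory stand-in for the provider's token table (hypothetical)."""

    def __init__(self):
        self._tokens = {}

    def issue(self, oauth_callback):
        # Step 1: under 1.0a the callback arrives here, absolute URL or "oob".
        if oauth_callback != "oob":
            parts = urlsplit(oauth_callback)
            if parts.scheme not in ("http", "https") or not parts.netloc:
                raise ValueError("oauth_callback must be an absolute URL or 'oob'")
        rt = RequestToken(secrets.token_urlsafe(16), secrets.token_urlsafe(16),
                          oauth_callback)
        self._tokens[rt.token] = rt
        return {"oauth_token": rt.token, "oauth_token_secret": rt.secret,
                "oauth_callback_confirmed": "true"}

    def authorize(self, token, query_callback=None):
        # Step 5, User accepts. query_callback is whatever a 1.0-style client
        # put on the login URL; under 1.0a it is ignored on purpose.
        rt = self._pending(token, "unauthorized")
        rt.verifier = secrets.token_urlsafe(16)    # unique per request token
        rt.state = "authorized"
        if rt.callback == "oob":
            return None, rt.verifier               # shown to the User instead
        parts = urlsplit(rt.callback)
        query = parse_qsl(parts.query) + [("oauth_token", rt.token),
                                          ("oauth_verifier", rt.verifier)]
        return urlunsplit(parts._replace(query=urlencode(query))), rt.verifier

    def deny(self, token):
        # Step 5, User denies: the Request Token is marked as revoked.
        self._pending(token, "unauthorized").state = "revoked"

    def exchange(self, token, oauth_verifier):
        # Steps 6-7: the verifier must match before an Access Token is granted.
        rt = self._pending(token, "authorized")
        supplied = (oauth_verifier or "").encode()
        if not hmac.compare_digest(rt.verifier.encode(), supplied):
            raise PermissionError("oauth_verifier does not match")
        rt.state = "exchanged"                     # request token is single use
        return {"oauth_token": secrets.token_urlsafe(16),
                "oauth_token_secret": secrets.token_urlsafe(16)}

    def _pending(self, token, expected_state):
        rt = self._tokens.get(token)
        if rt is None or rt.state != expected_state:
            raise PermissionError("request token is not " + expected_state)
        return rt
```

<p>The redirect target is always rebuilt from the callback stored at issue time, and an Access Token is released only to a caller that presents the verifier delivered through that redirect or displayed to the User.
</p>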
<a name="rfc.references1"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc">&nbsp;TOC&nbsp;</a></td></tr></table>
<h3>7.&nbsp;References</h3>
<table width="99%" border="0">
<tr><td class="author-text" valign="top"><a name="FellowshipOneOAuth">[FellowshipOneOAuth]</a></td>
<td class="author-text">Floyd, N., &ldquo;<a href="https://demo.fellowshiponeapi.com/v1/Util/AuthDocs.help">Fellowship One OAuth Implementation</a>.&rdquo;</td></tr>
<tr><td class="author-text" valign="top"><a name="FellowshipOneRESTAPI">[FellowshipOneRESTAPI]</a></td>
<td class="author-text">Floyd, N., &ldquo;<a href="http://developer.fellowshipone.com">Fellowship One REST API</a>.&rdquo;</td></tr>
<tr><td class="author-text" valign="top"><a name="OAuth1_0">[OAuth1_0]</a></td>
<td class="author-text">Hammer, E., &ldquo;<a href="http://oauth.net/core/1.0">OAuth 1.0</a>.&rdquo;</td></tr>
<tr><td class="author-text" valign="top"><a name="OAuth1_0a">[OAuth1_0a]</a></td>
<td class="author-text">Hammer, E., &ldquo;<a href="http://oauth.net/core/1.0a">OAuth 1.0a</a>.&rdquo;</td></tr>
<tr><td class="author-text" valign="top"><a name="RFC2119">[RFC2119]</a></td>
<td class="author-text">Bradner, B., &ldquo;<a href="http://tools.ietf.org/html/rfc2119">Key words for use in RFCs to Indicate Requirement Levels</a>,&rdquo; RFC&nbsp;2119.</td></tr>
<tr><td class="author-text" valign="top"><a name="RFC2606">[RFC2606]</a></td>
<td class="author-text">Eastlake, D. and A. Panitz, &ldquo;<a href="http://tools.ietf.org/html/rfc2606">Reserved Top Level DNS Names</a>,&rdquo; RFC&nbsp;2606.</td></tr>
</table>

<a name="rfc.authors"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc">&nbsp;TOC&nbsp;</a></td></tr></table>
<h3>Author's Address</h3>
<table width="99%" border="0" cellpadding="0" cellspacing="0">
<tr><td class="author-text">&nbsp;</td>
<td class="author-text">Fellowship One API Group</td></tr>
<tr><td class="author" align="right">Email:&nbsp;</td>
<td class="author-text"><a href="mailto:api@fellowshipone.com">api@fellowshipone.com</a></td></tr>
</table>
</body></html>

